The invention, in some embodiments, relates to the field of computer threats, and more specifically to identifying the presence of advanced persistent threats, or malware, on a computer network node.
Advanced persistent threats, such as computer viruses, computer worms, Trojan horses, and other malware, are among the problems that an organization's Chief Security Officer (CSO) must handle. Current security mechanisms are generally unable to cope with, and to prevent, targeted attacks on organizations, and as a result third parties, such as crackers and cyber-terrorists, are able to insert malware into the networks of such organizations. Once malware is present on an organization's network, the malware communicates with command and control mechanisms, which direct the malware as to what data to obtain, where to find such data, and where to send the data once it is obtained. Typically, communication between malware and its command and control uses common protocols, such as HTTP and IRC.
One method currently used for identifying the presence of malware on a network involves signature matching or pattern matching of malware families. For this method to properly identify the presence of malware, the malware must first be caught and analyzed to derive one or more relevant signatures, which are then used to prevent a malware infection by such malware in other computers in the network or in other networks.
Another method, known as “sandboxing”, involves running suspicious code in a secluded emulation environment, also called a sandbox, in order to identify the purpose of the code without the code being able to access network data. For example, a sandbox may be implemented by installing a proxy at the entrance to a network, and executing all HTTP pages prior to forwarding them to the requesting computer within the network. However, some malware programmers have developed methods for circumventing emulation environments, thus reducing the effectiveness of sandboxing. Additionally, even if the malware does not circumvent the emulation environment, execution of all HTTP requests in the sandbox prior to transmission thereof to the requesting node in the network greatly reduces the rate at which data is provided to the network nodes.
In yet other methods, machine learning, behavioral analysis, and classification algorithms are used to find packets within the network traffic which include communication between malware within the network and the command and control mechanism controlling the malware, or other suspicious activities in the network.
Recent reports show that on average, Advanced Persistent Threat attacks remain unidentified within an organization's network for longer than six months, and that more than 66% of organizations are unaware that their network is under attack.
There is thus a need for a system and method for effectively identifying the presence of malware in a computer network, and for identifying a command and control entity with which the malware communicates from within the network.